Man in the Browser

Man-in-the-Browser (MitB), a form of Internet threat related to Man-in-the-Middle (MitM), is a trojan that infects a web browser and has the ability to modify pages, modify transaction content or insert additional transactions, all in a completely covert fashion invisible to both the user and host application. A MitB attack will be successful irrespective of whether security mechanisms such as SSL/PKI and/or Two or Three Factor Authentication solutions are in place. The only way to counter a MitB attack is by utilising transaction verification. A related attack that is simpler and quicker for malware authors to set up is termed Boy-in-the-Browser (BitB).[1]

The Man-in-the-Browser threat was demonstrated by Augusto Paes de Barros in his 2005 presentation about backdoor trends "O futuro dos backdoors - o pior dos mundos" ("The future of backdoors - worst of all worlds").[2] It was named as MitB by Philipp Gühring in a white paper "Concepts against Man-in-the-Browser Attacks", 27 January 2007.

The MitB Trojan works by utilising the common facilities provided to extend browser capabilities, such as Browser Helper Objects, extensions and user scripts, and is therefore virtually undetectable to virus-scanning software.[3]

In an example exchange between user and host, e.g. an Internet banking transaction such as a funds transfer, the customer will always be shown, via confirmation screens, the exact payment information as keyed into the browser. The bank, however, will receive a transaction with materially altered instructions, i.e. a different destination account number and possibly amount. The use of strong authentication tools simply creates an increased level of misplaced confidence on the part of both customer and bank that the transaction is secure. Authentication, by definition, is concerned with the validation of identity credentials. This should not be confused with transaction verification. An example of a MitB threat is Silentbanker.[4]

One of the most effective methods of combating a MitB attack is an out-of-band (OOB) transaction verification process. This overcomes the MitB Trojan by relaying the transaction details, as received by the host (bank), back to the user (customer) over a channel other than the browser, typically an automated telephone call. OOB transaction verification is ideal for mass-market use since it leverages devices already in the public domain (e.g. a landline or mobile phone) and requires no additional hardware, yet enables three-factor authentication (utilising voice biometrics), transaction signing (to non-repudiation level) and transaction verification. The downside, of course, is that OOB transaction verification adds to the end user's frustration with more and slower steps.
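The following is an added example, not code from the original article or any bank's real scheme, simulating the banking exchange above: the bank binds a confirmation code to the transfer exactly as it received it, reads those details back over an out-of-band channel, and the customer compares them with what they actually keyed in. The class and function names, the HMAC-derived six-character code and the sample account numbers are all assumptions constructed for illustration.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass

@dataclass(frozen=True)
class Transfer:
    src_account: str
    dst_account: str
    amount_cents: int

class Bank:
    def __init__(self):
        self._key = secrets.token_bytes(32)  # constructed per-bank secret
        self.pending = {}                    # tx_id -> Transfer as received

    def receive_from_browser(self, received: Transfer) -> str:
        # Only what arrived via the browser is visible; it may differ from what was keyed in.
        tx_id = secrets.token_hex(4)
        self.pending[tx_id] = received
        return tx_id

    def _code(self, t: Transfer) -> str:
        # The confirmation code is bound to the transfer exactly as received.
        msg = f"{t.src_account}|{t.dst_account}|{t.amount_cents}".encode()
        return hmac.new(self._key, msg, hashlib.sha256).hexdigest()[:6]

    def oob_message(self, tx_id: str) -> dict:
        # Read to the customer over the out-of-band channel (e.g. a phone call).
        t = self.pending[tx_id]
        return {"dst_account": t.dst_account, "amount_cents": t.amount_cents,
                "code": self._code(t)}

    def approve(self, tx_id: str, code: str) -> bool:
        # A code keyed back into the browser approves only the transfer it was issued for.
        return hmac.compare_digest(self._code(self.pending[tx_id]), code)

def customer_checks(intended: Transfer, spoken: dict) -> bool:
    # Compare spoken details with what was typed, not the browser screen a MitB trojan controls.
    return (spoken["dst_account"] == intended.dst_account
            and spoken["amount_cents"] == intended.amount_cents)

def run_scenario(intended: Transfer, received: Transfer) -> str:
    bank = Bank()
    tx_id = bank.receive_from_browser(received)
    spoken = bank.oob_message(tx_id)
    if not customer_checks(intended, spoken):
        return "rejected"  # customer hears altered details and never enters the code
    return "approved" if bank.approve(tx_id, spoken["code"]) else "invalid-code"
```

Note that authentication never enters the picture: the altered transfer is fully authenticated, and only the comparison of received details against intended ones, made over the second channel, exposes the change.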

References

  1. Koziol, Jack (15 March 2011). "Imperva's Amichai Shulman Discusses the Boy in the Browser Attack". http://resources.infosecinstitute.org/imperva’s-amichai-shulman-discusses-the-boy-in-the-browser-attack/. Retrieved 2011-03-15.
  2. Paes de Barros, Augusto (15 September 2005). "O futuro dos backdoors - o pior dos mundos" (in Portuguese). Sao Paulo, Brazil: Congresso Nacional de Auditoria de Sistemas, Segurança da Informação e Governança (CNASI). http://www.paesdebarros.com.br/backdoors.pdf. Retrieved 2009-06-12.
  3. Gühring, Philipp (27 January 2007). "Concepts against Man-in-the-Browser Attacks". http://www2.futureware.at/svn/sourcerer/CAcert/SecureClient.pdf. Retrieved 2008-07-30.
  4. Fossi, Marc (Symantec) (23 January 2008). "Banking with Confidence". http://www.symantec.com/connect/blogs/banking-confidence. Retrieved 2008-07-30.

Wikimedia Foundation. 2010.
